Description

AN APPARATUS, METHOD, AND SYSTEM FOR DOCUMENTING, PERFORMING, AND ATTESTING TO INTERNAL CONTROLS FOR AN ENTERPRISE

TECHNICAL FIELD 

[0001] Field of the invention 

The invention relates generally to computer software program products 
and more particularly to automation of enterprise, public entity, and 
corporate governance, documentation, reporting, and management of 
financial controls such as mandated in the Sarbanes-Oxley Act of 2002 
and similar requirements of regulatory bodies. 

[0002] Definitions 

The description of the invention will utilize certain terms of art known to 
those skilled in the practice of audit, public accounting, corporate 
governance, internal controls, financial management, and financial 
reporting. The following terms are taken from references and incorporated 
herein for convenience for use in the claims. 



[0003] 

Sources/References: 






1. COSO ERM Framework; page 33.

2. Sarbanes-Oxley and the New Internal Audit Rules; Robert Moeller; page 135.

3. Internal Control - Integrated Framework (Executive Summary); COSO ERM Framework.

4. How to Comply with Sarbanes-Oxley Section 404; Michael Ramos; page 134.

5. Evaluating Internal Controls; Ernst & Young.

6. Financial Accounting; Robert Eskew and Daniel Jensen.

[0004] Definitions 

COSO The Organization 

COSO is a voluntary private sector organization dedicated to improving 
the quality of financial reporting through business ethics, effective internal 
controls, and corporate governance. COSO was originally formed in 1985
to sponsor the National Commission on Fraudulent Financial Reporting, 
an independent private sector initiative which studied the causal factors 
that can lead to fraudulent financial reporting and developed 
recommendations for public companies and their independent auditors, for 
the SEC and other regulators, and for educational institutions. 

[0005] 

COSO Enterprise Risk Management Framework 
Recognizing the need for definitive guidance on enterprise risk 
management, COSO initiated a project to develop a conceptually sound 
framework providing integrated principles, common terminology and 
practical implementation guidance supporting entities' programs to 
develop or benchmark their enterprise risk management processes. A
related objective is for this resulting framework to serve as a common 
basis for managements, directors, regulators, academics and others to 
better understand enterprise risk management, its benefits and limitations, 
and to effectively communicate about enterprise risk management issues. 

[0006] 

Enterprise Risk Management (ERM) 

Enterprise risk management is a process, effected by an entity's board of 
directors, management and other personnel, applied in strategy setting 
and across the enterprise, designed to identify potential events that may 
affect the entity, and manage risks to be within its risk appetite, to provide 
reasonable assurance regarding the achievement of entity objectives. The 
underlying premise of enterprise risk management is that every entity, 
whether for-profit, not-for-profit, or a governmental body, exists to provide 
value for its stakeholders. All entities face uncertainty, and the challenge 
for management is to determine how much uncertainty the entity is 
prepared to accept as it strives to grow stakeholder value. Uncertainty 
presents both risk and opportunity, with the potential to erode or enhance 
value. Enterprise risk management provides a framework for management 
to effectively deal with uncertainty and associated risk and opportunity and 
thereby enhance its capacity to build value. Enterprise risk management 
consists of eight interrelated components. These are derived from the way 
management runs a business, and are integrated with the management 
process. The components are: Internal Environment, Objective Setting, 
Event Identification, Risk Assessment, Risk Response, Control Activities, 
Information and Communication, and Monitoring.

[0007] Internal Control Integrated Framework 

The report entitled "Internal Control Integrated Framework" was
commissioned by the Committee on Sponsoring Organizations of the
Treadway Commission, commonly referred to as COSO. It establishes a
common definition of internal control that serves the needs of different
parties for not only assessing their control systems, but also determining
how to improve them.

[0008] Internal Control 

Internal control is broadly defined as a process, effected by an entity's 
board of directors, management and other personnel, designed to provide 
reasonable assurance regarding the achievement of objectives in the 
following categories: Effectiveness and efficiency of operations, Reliability 
of financial reporting, Compliance with applicable laws and regulations. 
Internal control consists of five interrelated components. These are 
derived from the way management runs a business, and are integrated 
with the management process. The components are: Control 
Environment, Risk Assessment, Control Activities, Information and 
Communication, and Monitoring. 

[0009] Control Objective 

Control Objectives are quantifiable, measurable, achievable business 
goals. Within this context, Control Objective relates to the preparation of 
reliable published financial statements, including interim and condensed 
financial statements and selected financial data derived from such 
statements, such as earnings or Net Asset Value (NAV). Within the
context of COSO, objectives can be Strategic, Operational, Reporting or 
Compliance related in nature. 

[0010] Operations Objectives 

Operations objectives relate to the effectiveness and efficiency of the 
entity's operations. They include related sub-objectives for operations, 
directed at enhancing operating effectiveness and efficiency in moving the 
enterprise toward its ultimate goal. Operations objectives need to reflect 
the particular business, industry and economic environments in which the 
entity functions. The objectives need, for example, to be relevant to 
competitive pressures for quality, reduced cycle times to bring products to 
market or changes in technology. Management must ensure that 
objectives reflect reality and the demands of the marketplace, and are 
expressed in terms that allow meaningful performance measurements. A 
clear set of operations objectives, linked to sub-objectives, is fundamental 
to success. Operations objectives provide a focal point for directing 
allocated resources; if an entity's operations objectives are not clear or 
well conceived, its resources may be misdirected. 

[0011] 

Reporting and Financial Reporting Objectives 
Reliable reporting provides management with accurate and complete 
information appropriate for its intended purpose. It supports 
management's decision making and monitoring of the entity's activities 
and performance. Examples of such reports may include results of 
marketing programs, daily sales flash reports, production quality, and 
employee and customer satisfaction results. Reliable reporting provides
management reasonable assurance of preparation of reliable reports for 
external dissemination. Such reporting includes financial statements and 
footnote disclosures, management's discussion and analysis, and reports 
filed with regulatory agencies. 

[0012] Compliance Objectives 

Entities must conduct their activities, and often take specific actions, in 
accordance with relevant laws and regulations. These requirements may 
relate to markets, pricing, taxes, the environment, employee welfare and 
international trade. Applicable laws and regulations establish minimum 
standards of behavior, which the entity integrates into its compliance 
objectives. For example, occupational safety and health regulations might 
cause a company to define its objective as, "Package and label all 
chemicals in accordance with regulations." In this case, policies and 
procedures would deal with communication programs, site inspections and 
training. An entity's compliance record can significantly affect, either
positively or negatively, its reputation in the community and marketplace.

[0013] Top-level Reviews 

Management at various levels should review the results of performance, 
contrasting those results with budgets, competitive statistics, and other 
benchmark measurements. Management actions to follow-up on the 
results of these top-level reviews and to take corrective action represent a 
control activity. 

[0014] Direct Functional or Activity Management 

Managers running functions or activities review operational reports. A
manager responsible for a bank's consumer loans reviews reports by 
branch, region and loan (collateral) type, checking summarizations and 
identifying trends, and relating results to economic statistics and targets. 
In turn, branch managers receive data on new business by loan-officer 
and local-customer segment. Branch managers also focus on compliance 
issues, reviewing reports required by regulators on new deposits over 
specified amounts. Reconciliations are made of daily cash flows, with net 
positions reported centrally for overnight transfer and investment. 

[0015] Information Processing 

A variety of controls are performed to check accuracy, completeness and 
authorization of transactions. Data entered is subject to on-line edit checks 
or matching to approved control files. A customer's order, for example, is 
accepted only after reference to an approved customer file and credit limit. 
Numerical sequences of transactions are accounted for; exceptions are 
followed up and reported to supervisors. Development of new systems 
and changes to existing ones are controlled, as is access to data, files and 
programs. 

[0016] Physical Controls 

Equipment, inventories, securities, cash and other assets are secured 
physically and periodically counted and compared with amounts shown on 
control records. 

[0017] Performance Indicators 

Relating different sets of data - operating or financial - to one another,
together with analyses of the relationships and investigative and corrective
actions, serves as a control activity. Performance indicators include, for
example, staff turnover rates by functional unit. By investigating
unexpected results or unusual trends, management identifies
circumstances where an insufficient capacity to complete key processes
may mean that objectives have a lower likelihood of being achieved. How
managers use this information - for operating decisions only, or to also
follow up on unexpected results reported by external financial reporting
systems - determines whether analysis of performance indicators serves
operational purposes alone or external financial reporting control purposes
as well.

[0018] Segregation of Duties 

Duties should be divided or segregated among different people or 
functions to reduce the risk of error or inappropriate actions. This is a 
basic and important internal control procedure. 

[0019] 

Preventive, Detective, and Corrective Control Classifications 
Controls can be designed to either 1) Identify errors as they occur and
prevent them from further processing; or 2) Detect and correct errors that 
already have entered the system. There are trade-offs for each approach. 
Preventive controls are more timely and help ensure that errors are never 
recorded in the accounting records to begin with. Detective controls may 
be cheaper to design and perform but are performed after the fact, 
potentially compromising the accounting system for extended periods of 
time. Both types of controls contain both an error detection and correction 
component.

[0020] Control Impact 

Controls have varying degrees of importance within companies. 
Companies must distinguish between routine, key, and entity level 
controls. Routine controls, by themselves, are considered less material in 
nature than key or entity level controls thus having less impact. It is critical 
for companies to identify this impact level for their controls in order to 
prioritize which controls need constant monitoring, testing, and evaluation. 
This ensures that company resources are utilized in the most efficient 
manner and that proper attention is given to areas of higher risk. 

[0021] Control Evaluation 

In order to maintain an adequate internal control infrastructure, all 
standards (and now law) prescribe that management should regularly 
evaluate the effectiveness and efficiency of the controls that have been 
instituted. There are various methods by which management would 
perform Control Evaluations including Control Self Assessment, Peer 
Review, and Internal Audit work-plans. The goal of a Control Evaluation is 
to determine if the Control properly mitigates the associated risk and if it is 
efficient in doing so. It is necessary to determine if the control should be 
kept as is, modified or replaced. 

[0022] Control Test 

A Control Test is an activity performed for a particular control that will 
provide evidence to enable management to determine if that control is 
operating effectively. There are a number of factors that go into 
determining what type of test is performed, how often, by whom, and to
what extent. 

[0023] Accounting Process 

In general, the Accounting Process entails identifying, measuring, 
recording, and communicating economic information to permit informed 
judgments and decisions by users of the information. In order to achieve 
this objective, individual Accounting Processes are established for the 
significant accounts of an organization. Collectively, these individual 
Accounting Processes exist to enable the overall Accounting Process. 

[0024] Accounting Sub-Process 

At a more detailed level, sets of rules and procedures, each called an
Accounting Sub-Process, are defined for specific accounts to achieve the
aforementioned for each Accounting Process.

[0025] Risk 

Risks are potential or existing barriers to achieving Control Objectives. 

[0026] 

Control (Control Activity or Control Point) 

A Control is a process or activity put in place within the business to 
manage risks. Controls can be set up to run automatically within systems 
or can be manually performed by employees on a regularly scheduled 
basis or as needed. Controls can also be designed to prevent risks from 
occurring or for detecting and correcting problems as or shortly after they 
occur. Controls can be of varying degree of importance depending on the 
risk that the control is designed to mitigate and at what level in the 
organization the control resides. Controls are also referred to as Control
Points, which, as the term implies, are designed to mitigate risks at specific
points in a process or at a critical review time.

[0027] Control Definition 

Control Definition is the end result of a process of determining and 
documenting how, when, and by whom the Control is to be performed. 
The Control Definition includes either general guidance or specific rules 
for performing the control and determining whether or not the risk has 
been properly mitigated. 

[0028] Control Self-Assessment 

Control Self-assessment is a method of control review by which a 
company can evaluate control effectiveness. These assessments are 
generally performed by employees that are involved in the actual process 
that is being assessed. Self-assessments allow companies to empower 
individuals to evaluate the effectiveness of their own control assignments. 
This is particularly important as control theory evolves to a decentralized 
approach where all employees should have a role in properly controlling a 
company. 

[0029] Remediation 

Remediation is a process by which controls deemed ineffective through 
evaluation, assessment, or testing are improved or replaced in order to 
properly mitigate their associated risk. This process needs to be well 
documented and can also lead to a public disclosure if the control 
ineffectiveness was judged to be of a material nature. 

[0030] Exception

An exception is an outcome of a control evaluation in which the control is 
determined to not be functioning as originally designed. An exception by 
itself does not necessarily indicate a control breakdown. Judgment is 
rendered to determine if a remediation is necessary. 

[0031] Monitoring 

Internal control systems need to be monitored - a process that assesses
the quality of the system's performance over time. This is accomplished 
through ongoing monitoring activities, separate evaluations or a 
combination of the two. Ongoing monitoring occurs in the course of 
operations. It includes regular management and supervisory activities, and 
other actions personnel take in performing their duties. The scope and 
frequency of separate evaluations will depend primarily on an assessment 
of risks and the effectiveness of ongoing monitoring procedures. Internal 
control deficiencies should be reported upstream, with serious matters 
reported to top management and the board. 

[0032] 

Auditor Control Objective 

An Auditor Control Objective is slightly narrower in scope than a Business 
or Control Objective and has a different purpose. An Auditor Control 
Objective is a goal that an external auditor would test against to ensure 
that numbers generated by a particular process were accurately arrived at 
and materially correct. If the auditor determines through testing that the 
Auditor Control Objective has been met, the auditor can then rely on the 
materiality of the numbers without manually calculating and tallying every 
transaction within the process.

[0033] Standard Errors (or Assertions) 

Financial statement amounts and disclosures embody what are known as 
financial statement assertions. These assertions are further collectively 
broken down into various assertions or standard errors, characteristics of
accuracy over the financial statement amounts and disclosures, e.g. Does
the asset exist (existence)? Did the transaction occur (occurrence)?

[0034] Financial Statement Accounts 

Financial Statement Accounts are those accounts that are listed on the 
Financial Statements for the purpose of reporting on economic 
performance and status of a business entity as a whole, prepared for all 
decision makers outside the company. 

[0035] References 

A reference is a piece of work, either a narrative or diagram, containing 
useful information that an employee or auditor can utilize (or refer to) if 
needed while performing control related activities. 

[0036] 

Unqualified Attestation 

In the context of Sarbanes-Oxley Section 404, an Unqualified Attestation 
is an External Auditor's communication of a positive conclusion about the 
reliability of management's assessment of the effectiveness of the 
company's internal control over financial reporting. An Unqualified 
Attestation is given only when there are no identified material weaknesses 
and when there have been no restrictions on the scope of the auditor's 
work.

[0037] COSO Definition of Internal Control 

Internal control is a process, effected by an entity's board of directors, 
management and other personnel, designed to provide reasonable 
assurance regarding the achievement of objectives in the following 
categories: Effectiveness and efficiency of operations, Reliability of 
financial reporting, Compliance with applicable laws and regulations 

BACKGROUND ART 

[0038] 

Key Concepts 

Internal control is a process. It is a means to an end, not an end in itself. 
Internal control is effected by people. It's not merely policy manuals and 
forms, but people at every level of an organization. Internal control can be 
expected to provide only reasonable assurance, not absolute assurance, 
to an entity's management and board. Internal control is geared to the 
achievement of objectives in one or more separate but overlapping 
categories. Multinational, diversified public corporations may have in 
excess of 1000 control objectives in management accounting, financial 
reporting, and compliance with legal requirements. Supporting each 
objective are multiple procedures and controls. A company may have 
many thousand controls, which may be applicable daily, weekly, monthly, 
or quarterly according to their risk and benefit to the shareholders. It is 
traditional that, guided by external auditors, the CFO and his staff created 
policies and procedures in printed paper form which merely documented 
controls, what were best practices, without absolutely making sure that all
employees followed the policies through. These were referred to as the 
control binders. Testing the effectiveness and implementation of these 
best practices consisted of periodic meetings between performers and 
auditors to verbally confirm that the policies were established, still 
applicable, and followed. Staying in compliance by ensuring that all of 
these control activities are executed, remediating errors, and attesting to 
their correctness is now mandated by SEC rules implementing the 
Sarbanes-Oxley Act of 2002. 

[0039] Business people, regulatory organizations and investors have become 
acutely aware of irregularities in financial control management. The 
Sarbanes-Oxley Act, supported by all but 3 members of Congress, was
passed in response to the breakdown in corporate checks and balances 
that cost investors hundreds of billions of dollars in losses. 

[0040] For too long, too many companies have lacked adequate internal controls. 
In recent years more than a thousand public companies have issued 
corrections for errors in their financial statements. Auditors who used to
test annually all the controls on which they were relying cut back on the
level of their tests significantly as they faced pressures to reduce their
fees.

[0041] In the process of documenting their existing financial control environments,
which many had assumed were essentially complete, project managers
have discovered that a significant level of effort is required for the testing
needed, the addressing of deficiencies discovered, and the documentation
sufficient to support attestation by the auditors.

[0042] Other categories of compliance mandates could fall in a wide range of 
areas, including industry-specific (e.g. HIPAA), safety-related (OSHA),
quality-related (ISO 9000, six sigma), global (NAFTA, WTO), or financial 
markets-related (NASDAQ, NYSE). They could be directed to customer 
support (service level agreements), banking (lending covenants), or 
supplier requirements (terms of purchasing agreements). Finally and 
perhaps more commonly, organizations will develop company-specific 
policies, procedures, and tasks which will incorporate the operating and 
cultural environment of the company and industry. 

[0043] 

As if designing, implementing, running and evaluating the system were not 
enough, companies will need to identify factors and drivers of change to 
the financial control management system and quickly make and 
implement those changes on a regular and timely basis. A number of 
internal and external factors can drive the change. Internally, they include 
new corporate policies (in any functional area); the acquisition of a 
company or product line and major change in operational performance; 
and changes in personnel, documents or information. External factors that 
will drive changes to the financial control system include regulatory 
changes (e.g. new sections of federal law, new interpretations of 
accounting standards, tax law), competitive actions, supplier agreements, 
and lending institutions among others. Therefore, not only will establishing 
a comprehensive, systematic financial control system take time, training, 
and money, maintaining and sustaining it will require constant monitoring, 
evaluation, and maintenance.

[0044] The current problem with manuals of procedures is that there is no
economically repeatable way to analyze the degree of compliance over
time or across organizational entities. Nor is there a way to consistently 
score and evaluate how an organization is improving over time. There 
may not be objective measurements of the effectiveness of the control or 
tracking of remediation when controls are found ineffective. Nor is there 
enough information to make a business judgment on the urgency or 
importance of correcting an error or omission. A manual report on 
compliance to control binders cannot be automatically rerun to check if 
corrections have been effective. 

DISCLOSURE OF INVENTION 

[0045] Summary of Invention 

Accordingly, what is needed is an improved system of providing processes
and automation to make compliance with new standards of internal control
successful, economical, and verifiable. The present invention includes
both apparatus and methods to automate both the efficient establishment
of a complete and automated control system as well as ongoing,
continuously measured and improved processes of ensuring appropriate
internal control.

[0046] 

During the design and deployment phase which encompasses installation, 
configuration, and evaluation phases of deploying a system of controls, 
the present invention increases productivity by requiring lower skill levels 
for participation. A templatized creation system allows non-programmers
to develop systems of controls, evaluations, and tests for
systems they are familiar with as users or financial professionals.

[0047] The underlying architecture uses twin hierarchies cross-linked to each
other as well as to lists of context data to provide efficiency, flexibility and
to provide for better analysis of resulting transactional data. One hierarchy
provides a framework to organize possibly thousands of definitions of
financial controls and their associated evaluations and tests. The other
hierarchy provides a framework to describe an enterprise or organizational 
structure ultimately to the level at which user roles to be associated with 
the design and operation of financial controls can be automated. 

[0048] Each member of the definition hierarchy has a data element specifying its 
frequency of application and a relationship to the framework 
recommended by industry reporting standards bodies. The use of 
templates for the definitions simplifies the development and maximizes 
reuse. The other hierarchy reflects the responsibility of performing 
controls, evaluations, and tests as well as providing for the assignment of 
escalation or follow up roles. Personnel or performers in an enterprise are 
organized into a hierarchy of units which may be geographical, functional, 
market, historical or any mixture of legacy organizational structures. 
Linking of higher-level nodes in the twin hierarchies allows for more efficient
assignment of one or more controls to many units and vice versa.

[0049] The present invention enables the rapid integration with legacy systems 
by use of templates which drive existing backend applications to present 
integrated user interfaces. In contrast to previous approaches, which either
emphasize the automation of creating documentation or the self-documenting
nature of writing software, the present invention enables,
without the need for programming skills, the definition of a self-executing
internal control system by means of preparing the documentation of the
internal controls and the assignment of performers. The definitions
prepared for the internal control hierarchy encompass the
control itself, its method of being evaluated, as well as a set of tests of the
control. As a result of having the controls related in a hierarchy according
to the objectives and risks prioritized by the entity, management can 
review the evaluations and tests in preparation for its assertion of 
compliance and external audit organizations can review the hierarchy of 
definitions and their test results as support for their attestation of complete 
compliance. 

[0050] 

In the production and continuous improvement phase of the present 
invention, the present invention coordinates the timely delivery of 
information to performers responsible for performing elements of the 
internal control system. Every control is defined with a type of frequency 
according to its relevant financial period and is automatically scheduled 
with appropriate lead time prior to the due date. Each assigned performer 
receives a customized email with a URL to obtain detailed directions, data,
and the on-line resources needed for that activity. A process template
delivered to the user's client workstation is populated by the selected
process template data defined during the design/deployment phase, and
the user's submitted results are recorded. The Application Container offloads
formatting and interactivity to the client browser at the user's desktop and 
assembles the routed data and provides a mini-application. Parameters in 
each control allow reminders or escalation steps to occur in a timely 
manner according to action or even non-action thereby losing no 
transaction. 

[0051] In short, to assure regulators, stockholders, tax-payers, customers, and
suppliers to large public and private entities that proper and thorough
internal controls have been established and are respected, new standards
of responsibility, behavior, and measurement have come into use. The
present invention makes it possible not only to economically comply with 
these new reporting requirements but also leverage these investments to 
contribute to the day-to-day efficient operation of the entity in its main 
business processes by addressing risks to attaining its objectives. 

[0052] 

Brief Description of Drawings 

Figure 1. System Architecture and Process Overview

Figure 2. Control Hierarchy and Context Data Structure

Figure 3a and 3b. Units and Sub-Unit List Data Sample and Detail Sample

Figure 4. Creation of Definitions Flow Chart

Figure 5a-d. Internal Control Definition Sample

Figure 6. Scheduler Flow Chart

Figure 7. Environmental Infrastructure Architecture

Figure 8. Application Container with Sample Data

Figure 9. Routing Engine Flow Chart

Figure 10. Configuration & Initialization Flow Chart

Figure 11. Hierarchical Definition Flow Chart

Figure 12. Compliance Rules User Selection Screen

BRIEF DESCRIPTION OF THE DRAWINGS 

[0053] Detailed Description

While this invention is susceptible of embodiments in
many different forms, there is shown in the drawings and will herein be 
described in detail preferred embodiments of the invention with the 
understanding that the present disclosure is to be considered as an 
exemplification of the principles of the invention and is not intended to limit 
the broad aspect of the invention to the embodiments illustrated. 

[0054] Referring now to Figure 1, System Architecture and Process Overview, 
the present invention comprises a definitional hierarchy structure, coupled 
to a plurality of context structures, and coupled to a scheduler by means of 
process template data, which scheduler is further coupled to a routing 
engine by means of process template data, which routing engine 
dynamically synthesizes, transmits, and reads micro application 
containers presented to and submitted by a plurality of users as uniquely 
directed by the process template data of each definition. As each definition 
is found within a hierarchy with its required frequency and start and due 
latency requirement, the scheduler may traverse the definition hierarchy 
and deliver the selected process template data to the routing engine. The 
process template data includes the responsible unit or performer by linking 
the unit structure found within the context data so that the routing engine 
may notify a plurality of users by email. By clicking on a url within the 
email or otherwise connecting to the routing engine, the user, after 
authentication, accesses the process template data as presented by the 
routing engine within the appropriate process template. The user reads 
data and instructions, may optionally run mini-applications, and otherwise 
interacts with the process template and the process template data, with 
the expectation of closing the loop by submitting data or performing 
actions. In the absence of completion of the control activity observed by 
the scheduler within a prescribed time, the scheduler will monitor progress 
and message an alternate user, or escalate if necessary, recording the 
variance from expected performance for measurement. 

[0055] Referring now in detail to Figure 2 Control Hierarchy and Context Data 
Structure, a computer readable medium is disclosed which controls the 
operation of the invention by having encoded upon it a control hierarchy 
structure including a plurality of Major Areas each of which may have 
encoded upon the computer readable medium a reference to a plurality of 
Accounting Processes each of which may have encoded upon the 
computer readable medium a reference to Account Sub-Processes each 
of which may have encoded upon the computer readable medium a 
reference to Control Objectives each of which may have encoded upon 
the computer readable medium a reference to Risks each of which may 
have encoded upon the computer readable medium a reference to Control 
Execution Definition each of which may have encoded upon the computer 
readable medium a reference to a Control Evaluation Definition and to a 
Control Test Definition. 

[0056] Each member of the Control Hierarchy Structure named above may have 
encoded upon the computer readable medium a reference to an element 
of a repository disclosed as Context Data also encoded upon a computer 
readable medium to control the operation of the invention. Each Control 
which may be executed, evaluated, or tested has a default or specified 
performer assigned from the members of the Unit Hierarchy element of 
Context Data. 

[0057] Within the Context Data is shown the Unit Hierarchy of users responsible 
for creating, performing, evaluating, or testing the Controls. Their 
responsibility may be assigned individually or by means of the hierarchy. 
Any level of the Control Hierarchy may be assigned to an individual in the 
Unit Hierarchy who shall be the default performer of every control below 
that level of Control. These defaults may be overridden by further 
assignment by category or by specific assignment to an element lower in 
that Control Hierarchy. Failure or delay of an assigned individual to 
perform a control in a timely manner automatically invokes an escalation 
procedure by the scheduler which will contact the person designated in 
the Unit Hierarchy. Thus it will be observed that the Unit Hierarchy may be 
distinguished from a traditional table of organization because the 
knowhow and appreciation of performing controls will frequently not 
correspond to the chain of command authority. 



Also within the repository of Context Data is information useful to users 
which may be referenced by the Controls but is not embedded in each 
control for efficiency. The business logic behind each control, use of 
standard language in creating or modifying controls, identification of 
regulatory or audit requirements that are pertinent to the controls and their 
ranges of acceptability are all centralized in the context data structure. 

[0059] Referring now to Figures 3a, and 3b Units and Sub-Unit List Data Sample 
and Detail Sample, the present invention discloses a hierarchy of units 
and sub units. Units and subunits may be further comprised of subunits or 
a plurality of persons who have either broad authority or assigned roles. 
Different persons may be assigned the performance, evaluation, and 
testing of a control or in the event of non-performance be one to whom the 
issue is escalated. 

[0060] Referring in detail to Figure 4. Creation of Definitions Flow Chart, a 
definition is firstly described and linked to a COSO objective, COSO 
component, control category, classification, and impact. Each definition 
may be linked to a plurality of risks. Secondly, data is collected to 
configure a process template or micro application container used to collect 
user input data started on the frequency set. The following data related to 
a process template are used to configure, on the fly, a process template 
that is routed to a user via a business process engine: a frequency, a due 
offset, a compliance rule, instruction text, EAI button text, EAI command 
XML text, and a plurality of supporting data fields with optional error 
checking data types. This process template is essentially a 
mini-application that has both visual and programmatic elements inserted and 
configured based on this definition. An advantage of the present invention 
over previous conventional applications is that one process template may 
be used for any number of definitions. Optionally, each control may be 
linked to a plurality of reference documents which help the various users 
or analysts understand the control and document its significance. 

[0061] The final steps control the operation of a computer system by specifying if 
the scheduler shall notify all units defined in the unit structure, a plurality of 
units by linking to a list of Units, or a plurality of unit categories by linking 
to unit categories or not assigning controls to any units for automatic 
scheduling. In each case, it is possible to set specific overrides to default 
assignments to deal with unique and exceptional situations. In contrast to 
other implementations of controls, the definition of the control documents 
both the frequency of being run and the performer who must participate. 

[0062] Referring now to Figures 5a - d Internal Control Definition Sample, each 
internal control may be associated with a plurality of COSO objectives, 
Components, and Risks. Optionally they may be placed in a control 
category for ease of selection. They must have a classification and an 
assessment of impact on the overall entity. Internal control is defined for 
automation purposes as having a frequency with a window for start and 
due dates. In the preferred embodiment, instructions to the user are 
incorporated into the control with optional ability to start a backend ERP 
application data pull by hitting a user-defined button. Various data fields 
may be defined for input or display with optional checking for legitimate 
data type on input fields. A control may have links to references for further 
clarification. Each control will have a plurality of evaluations, tests, and 
assigned units. A specific control within a hierarchy may have a unit 
assignment override that differs from the assignment that the rest of the 
hierarchical branch is assigned. 

[0063] Referring now in detail to Figure 5a Control Definition Screen Part 1 the 
present invention creates an internal control definition with a name and 
description that is linked to a plurality of Objectives, Components, 
Categories, and Risks with a classification and an impact. 

[0064] Referring now in detail to Figure 5b Control Definition Screen Part 2 each 
internal control must be set up for automation by the Process Scheduler 
by having a value for frequency and Type of process and a start and due 
value relative to the end of the financial period. Each control has an effect 
on the overall compliance score. Specific instructions are included in the 
notification to the assigned performer in an action document. The 
document may include operable buttons that execute backend ERP 
commands which are specified on this screen. 

[0065] Referring now in detail to Figure 5c Control Definition Screen Part 3 each 
internal control may be defined with input fields that have data type 
checking and captions. It may have references attached for further 
documentation of its purpose and consequences. Each control must 
specify a method of evaluation and its frequency which is selectable from 
standard methods using this screen. 

[0066] Referring now to Figure 5d Control Definition Screen Part 4, each control 
has a test associated with it and is assigned to a unit. Within a hierarchical 
group of controls assigned to a unit, an individual control may be assigned 
to a specific unit overriding the hierarchically inherited assignments. 

[0067] Referring now to Figure 6, Scheduler Flow Chart, during system 
initialization the Process Scheduler is started manually and records the 
last time it successfully completes its run (LSR). The computer system 
itself monitors the time of day and current date and periodically starts the 
Process Scheduler at one or more specific times each day. The process 
scheduler comprises the following steps: comparing the current day and 
time of day against the Last Successful Run to determine if it is necessary 
to schedule processes, selecting one of a plurality of process types 
selected from the group consisting of controls, evaluations, and tests, 
selecting one of a plurality of frequencies selected from the group 
consisting of hourly, daily, weekly, monthly, quarterly, annually, matching 
definitions against the selected process type and frequency, computing 
the start offset for each definition and comparing to the Current Scheduler 
Date, comparing the Last Successful Run date for each definition against 
the Current Scheduler Date, identifying the Business Unit(s) linked to each 
selected definition directly or by means of Context Data Category lists, 
reading the default user assignment for each Business Unit, checking if 
the Definition overrides this specific assignment, and causing the Routing 
Engine to route the Process to the assigned user, proceeding in turn to the 
next unit identified in the definition until all are processed, proceeding in 
turn to the next definition until all are processed, proceeding in turn to the 
next frequency until all are processed, proceeding in turn to the next type 
until all are processed and setting the scheduler Date to the Last 
Successful Run date plus one increment, in the figure shown as one day. 
This allows the scheduler to deal with a partial or multi-day outage which 
has interrupted the normal operation of the schedule and eliminates the 
possibility that processes are skipped on days that the Scheduler failed to 
complete or was prevented from running at all. Similarly, the Scheduler 
checks for Active Processes that have been initiated by the Routing 
Engine and may send a reminder to the assigned performer or cause the 
routing engine to pass this transaction on to an alternate performer or to 
escalate to a higher level of responsibility. This section checks for overdue 
processes or processes that have been in a given process step over a 
predefined limit set just for that process step and escalates the process to 
a new user. The section also checks for inactivity (a precursor to 
escalation) for each process step and reminds the current user of this 
activity. The advantage of the present invention over the previous art of 
scheduling is to enable the system, in the event that a Data Center has an 
extended and unscheduled outage for several days, to automatically 
catch-up without user intervention by causing itself to repeat for all the 
missed scheduler executions once the Data Center returns on-line. 
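
The catch-up loop of [0067], combined with the default-performer override of [0057], shown as an added Python example that is not part of the original disclosure. The names (Definition, run_scheduler, the state dictionary), the due-date rules, and the sample data are assumptions made for illustration; only three of the listed frequencies are modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PROCESS_TYPES = ("control", "evaluation", "test")
FREQUENCIES = ("daily", "weekly", "monthly")  # subset of the frequencies listed above


@dataclass
class Definition:
    name: str
    process_type: str
    frequency: str
    units: list                      # Business Units linked to the definition
    start_offset: int = 0            # assumed: weekday (0 = Monday) or day of month
    overrides: dict = field(default_factory=dict)  # unit -> performer override


def is_due(defn, day):
    """Assumed due rule; the text only says a start offset is computed."""
    if defn.frequency == "daily":
        return True
    if defn.frequency == "weekly":
        return day.weekday() == defn.start_offset
    if defn.frequency == "monthly":
        return day.day == defn.start_offset
    raise ValueError(f"unsupported frequency: {defn.frequency}")


def run_scheduler(definitions, default_performer, state, today, route):
    """Replay every missed day from Last Successful Run (LSR) + 1 up to today.

    state["lsr"] only advances after a whole day has been processed, so an
    interrupted run is repeated on restart. state["routed"] records the last
    date each (definition, unit) pair was routed, so the repeat does not send
    duplicates. Tracking per unit is an assumption; the text tracks per
    definition.
    """
    scheduler_date = state["lsr"] + timedelta(days=1)
    while scheduler_date <= today:
        for ptype in PROCESS_TYPES:
            for freq in FREQUENCIES:
                for defn in definitions:
                    if (defn.process_type, defn.frequency) != (ptype, freq):
                        continue
                    if not is_due(defn, scheduler_date):
                        continue
                    for unit in defn.units:
                        key = (defn.name, unit)
                        if state["routed"].get(key, date.min) >= scheduler_date:
                            continue  # already routed before the interruption
                        # A definition-level override beats the unit default.
                        performer = defn.overrides.get(unit, default_performer[unit])
                        route(scheduler_date, defn.name, unit, performer)
                        state["routed"][key] = scheduler_date
        state["lsr"] = scheduler_date
        scheduler_date += timedelta(days=1)
    return state["lsr"]


def sample_setup():
    """Constructed sample data: two controls and a five-day outage."""
    definitions = [
        Definition("Bank reconciliation", "control", "daily", ["Treasury"]),
        Definition("Revenue cut-off review", "control", "monthly", ["AR", "AP"],
                   start_offset=1, overrides={"AP": "carol"}),
    ]
    default_performer = {"Treasury": "alice", "AR": "bob", "AP": "dave"}
    state = {"lsr": date(2024, 3, 28), "routed": {}}
    return definitions, default_performer, state


if __name__ == "__main__":
    definitions, performers, state = sample_setup()
    log = []
    run_scheduler(definitions, performers, state, date(2024, 4, 2),
                  lambda *record: log.append(record))
    for record in log:
        print(*record)
```

Persisting the state only after each day completes is what lets an auditor rely on the routing log: a control is either routed exactly once for its due date or the day is still pending.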

[0068] Referring now to Figure 7, Environmental Infrastructure Architecture, the 
disclosed invention is shown as a practical and economical Internal 
Control System with a plurality of standard interfaces to well understood 
but poorly integrated applications known in business enterprises. 
Beginning at the top and turning clockwise, we show that display to and 
receiving input from clients in the user environment provides both the 
definition of controls and the performance, evaluation, and test of these 
controls. The next interface clockwise shows the integration through well 
known programmatic interfaces to external applications known as 
enterprise resource planning containing information on sales and financial 
reporting. Below that is shown the interface to a Directory Server used for 
authentication of the users who are responsible for creating, performing, 
and taking responsibility for the accuracy of the controls. In the lower right 
is shown an interface to any legacy E-mail Server, through which the 
Internal Control System will notify performers of upcoming Control actions 
as well as reminders and escalation to supervisors if actions have not 
been taken or the results require an exception to be alerted. Proceeding in 
a clockwise manner to the lower left is shown the Internal Control System 
interface to any of a number of standard computer database products 
which manage underlying resources through instructions according to the 
methods of the present invention. Finally next above is shown an interface 
to a reporting engine, which is used by the present invention to format 
according to the preferences of the users the reports charts and displays 
used to manage, document, and attest to the controls herein implemented. 
The present invention is a more practical and easily deployed application 
by utilizing information and resources already present in business 
enterprises and adding automation to the business process of internal 
controls. 

[0069] Referring now to Figure 8 Application Container with Sample Data, what is 
shown is the result after a user has been notified and clicks on a url and 
has been authenticated, the process template and process template data 
defined in Figures 5a-d combined through the application container 
template method of controlling the operation of a computer system to 
deliver unique documents for action to the performers assigned to each 
scheduled control, evaluation, test, or other function. 

[0070] In this example the performer is instructed to execute a query on the 
General Ledger system and manually enter the corresponding value from 
their bank and record if the amounts reconcile. In this example the 
document is marked as a completed control for the record. Note that 
various buttons are selectively displayed or rendered inoperable according 
to the status of the control. The present invention controls the operation of 
the computer system in scheduling the preparation of this document, 
determining the buttons and fields shown on the document, determining 
the text content of the document, transmitting the document to the 
assigned performer and monitoring performance, escalating the document 
if performance does not occur in a timely manner, and scoring the 
compliance and recording out of compliance results thereby automating 
an internal financial control system. 

[0071] Referring in detail to Figure 9, Routing Engine Flow Chart under the 
control of the present invention, the computer system operates by first 
scheduling a definition such as the internal control execution task shown, 
identifying a performer assigned and transferring the process to the 
Routing Engine comprising the steps of firstly Looking up the target unit 
and authenticating them using a directory service thereby obtaining an 
email address and secondly recording or updating a transaction in a 
database while sending notification to the target with a url link to the 
transaction in the database and thirdly waiting until the user clicks on the 
url to assemble a micro application container by pulling together elements 
specified by the Control Definition Screens parts 1 through 4, and 
transmitting it electronically to the user's client as a process template and 
accompanying process template data for interaction and acknowledging 
subsequent submittal and recording submitted data. Processes are sent to 
the Routing Engine by the Scheduler according to the start date and if no 
response received by the due date, the Scheduler initiates a new process 
for the Routing Engine escalating the control to the performer specified in 
the unit. 

[0072] Referring in detail to Figure 10 Configuration & Initialization Flow Chart, 
the present invention, causing a computer system to change its operation 
according to the controls embodied on computer readable media, begins 
with the step of setting the system Time of Day and the system Fiscal 
Year End Date which may be specific for each entity or enterprise. The 
next step is to configure the number of hierarchical levels in the control 
structure and to specify the name of each hierarchical level. This sets up 
what levels the system will allow to be created above definitions of 
Controls, Evaluations, and Tests. This allows a financial organization to 
apply their particular cultural naming in lieu of the standards body naming 
conventions such as Accounting Process, Accounting Sub-Process, 
Control Objective, and Risk. The next process is that of creating Context 
Data which comprises a plurality of steps including but not limited to the 
following: Creating and populating a list of Context Data Categories, 
Creating a list of Financial Statement Accounts, Creating a list of 
Assertions, Creating a list of Reference Documents, Creating if desired a 
List of Values, Creating if desired a list of User Defined Fields to allow 
extensibility and customization, Creating if desired a list of Control 
Categories, and Creating a Unit Structure for the purpose of assigning 
users Roles for controls and associated tasks comprising the steps of 
Creating a top level Unit and then Creating a plurality of Sub-Units until all 
users who have Roles for controls and associated tasks have been 
assigned. The steps shown within dotted line boxes indicate methods that 
change the operation of the computer system by displaying different 
screens to the users according to the context data herein configured. After 
the Completion of Configuration of the hierarchy and the Context Data, the 
next step consists of Creating the Definition Hierarchy wherein the present 
invention changes the operation of the computer system according to said 
step of configuring the number of hierarchical levels and their names. 

[0073] Only two levels of hierarchy are mandatory, the Control and the Control 
evaluation. At installation, the other levels may be deselected for a simpler 
implementation. They will be hidden from the user post-installation. There 
may be multiple Major Areas or not as may be the case. For each Major 
Area there may be a plurality of Accounting Processes. For each 
Accounting Process there may be a plurality of Accounting Sub- 
Processes. For each Accounting Sub-Process there may be a plurality of 
Objectives. For each Objective, there may be a plurality of Risks. For each 
Risk, there may be a plurality of Controls. The heart of the system are the 
Controls and Control Evaluations. The hierarchy above them is for clarity 
of organization and convenience of assignment. Controls and Control 
Evaluations are paired. Each Control may have a plurality of Tests. The 
list of Abbreviations is shown when any specific control is being displayed 
as a hierarchical path to locate the control within the hierarchy. 

[0074] Note also the control self-assessment setting. If the Use Control Self 
Assessment radio button was set to No, the related selection would not be 
shown or would appear in gray. If Yes, then the installer may select from available Self 
Assessment levels and set the frequency that the organization wishes to 
perform self-assessment. Finally an optional rollup of the self- 
assessments is offered and in this case denied. 

[0075] The degree of detail for management's assertion of control efficacy is 
selectable and the appropriate documentation for the auditor's attestation 
is automatically created to support the assertion and attestation. 

[0076] Referring now to Figure 11 Hierarchy Definition Flow Chart, a method of 
creating a Definition Hierarchy for levels configured in the System 
Configuration which control the operation of a computer system comprise 
the steps of Creating a plurality of Accounting Processes and linking each 
Accounting Process to a plurality of Context Data, Creating a plurality of 
Accounting Sub-Processes and linking each Accounting Sub-Process to a 
plurality of Context Data, Creating a plurality of Control Objectives and 
linking each Control Objective to a plurality of Context Data, Creating a 
plurality of Risks and linking each to a plurality of Context Data, and 
Creating a plurality of Definitions or linking to a plurality of existing 
Definitions of Internal Controls, Evaluations or Tests. Linking to an existing 
Internal Control Definition, for example, allows 2 or more Risks to share 
the same Control. 

[0077] Referring now to Figure 12 Compliance Rules User Selection Screen, the 
present invention enables insertion of programmatic elements into a 
Process Template to act upon Supporting Data supplied by the user 
at run time. A plurality of radio buttons are offered as mutually exclusive 
selections to illustrate user selection of typical calculations. The performer 
may enter in actual and estimated values for a specific calculation or enter 
in one value and pull data from a back-end ERP application. The 
performer may enter a sequence of values for a complex calculation or do 
that in combination with data pulled from an ERP application. The result 
can be categorized automatically as being below or above a threshold of 
acceptable ranges for compliance impact. This documents and 
consistently applies criteria for identifying financial measures that are 
significantly out of compliance with corporate objectives eliminating 
variation in judgment or omission of calculations. Periodically, financial 
controls must be evaluated by the performers themselves as to their 
continued accuracy and pertinence. This screen also shows how to 
accumulate and categorize self-assessments to achieve an overall score 
for reporting and planning remediations. What is being illustrated here is 
that for each Internal Control, Evaluation, or Test, the creator may select 
from and reuse available calculations, scoring, or thresholding techniques 
without recreating or reinstantiating custom code thereby increasing 
productivity and reducing opportunities for error. 

BEST MODE FOR CARRYING OUT THE INVENTION 

[0078] Preferred embodiment In the preferred embodiment of the present 
invention everything 

• Is entirely data driven 

• No user programming is required 

• Natively integrates with intranets and email 

• Contains built-in, two-way integration with ERP, CRM, HR, and legacy 
enterprise applications 

• Runs in Windows and UNIX environments 

• Works with industry-standard application servers and databases from 
IBM, BEA, Oracle, and Microsoft 

[0079] Because it is based on a production-proven, scalable business process 
management platform, it proactively monitors and manages all the 
reminders and follow-up needed across an entire organization to ensure 
that internal control activities are completed correctly and on time. It is 
designed specifically for Sarbanes-Oxley control documentation and 
ongoing monitoring. 

[0080] In contrast with systems of previous design, 

• The present invention is a comprehensive corporate control 
management solution that includes all three phases of compliance: 
control definition and documentation; ongoing control monitoring; and 
cost-minimizing attestation preparation and reporting 

• The present invention is an application designed specifically for 
Sarbanes-Oxley, and not a generic tool that requires extensive 
customization and consulting. 

• The present invention is built on a production-proven business process 
management (BPM) foundation to ensure quick adaptability to change. 

• The present invention is more than a simple document repository. It 
also stores control activity information in a database to create detailed 
audit trails, reports and analyses. 

• The present invention generates the evidence an independent auditor 
needs to issue an unqualified attestation report. 

• The present invention enables users to manage and monitor a 
comprehensive set of internal controls on an ongoing basis rather than 
simply scheduling audits. 

• The present invention is a full compliance management application 
that enables users to author, document, monitor, test, remediate and 
report on internal controls rather than an authoring tool. 

• The present invention is an application that integrates with all ERP 
systems and instances, rather than being an ERP vendor's proprietary 
internal control tool that can't span other back-end systems. 

• The present invention is a continuously monitored risk profile of an 
organization rather than a one time risk assessment utility. 

[0081] Control Definition The present invention provides a straightforward, 
structured method for defining internal controls. 

• Provides a formal framework for defining accounting processes, sub- 
processes, control objectives, risks, and controls across the 
organization 

• Ties controls to proper context: the COSO framework, company 
policies, SEC and PCAOB rules, auditor advice, and legal opinions 

• Assigns responsibility and execution process to each control 

• Imports control definitions from accounting firm tools 

[0082] Control Execution The present invention ensures that each and every 
control is executed on time, correctly, and completely while providing full 
visibility into the process. 

• Ensures on-time execution of controls through a proactive process of 
notification, follow-up, and escalation 

• Delivers details of each control including instructions and context to 
each user ensuring that each control is executed completely and 
correctly 

• Offers full visibility during the execution process so that management 
can take corrective action before it's too late 

• Provides full audit trail including control execution results and signoffs 

• Captures all supporting documentation in any format for each control 
execution 

• Integrates data from ERP systems directly into the Movaris Certainty 
process easing the compliance task and ensuring accurate and timely 
execution 

[0083] Annual Control Evaluation The present invention enables management to 
meet its evaluation obligation under the Sarbanes-Oxley Act. It drives the 
annual control evaluation process while offering full visibility into the status 
and results of the ongoing process. 

• Provides a systematic framework for defining, scheduling, and 
conducting the evaluations to be performed for each control 

• Defines the criteria against which the control will be evaluated and 
specifies the responsibility path and process for each evaluation 

• Ensures on-time execution of all evaluations through the designated 
process of notification, follow-up, and escalation 

• Provides real-time visibility into the status of all evaluations across the 
organization, by specific control or division 

[0084] The foregoing description of the embodiments of the invention is to be 
considered in all respects as illustrative and not restrictive, the scope of 
the invention being indicated by the appended claims rather than by the 
foregoing description, and all changes that come within the meaning and 
range of equivalency of the claims therefore are intended to be embraced 
therein. The embodiment described is selected to best explain the 
principles of the invention and its practical application to thereby enable 
others skilled in the art to best utilize the invention in various embodiments 
and with various modifications as suited to the particular purpose 
contemplated. In particular, Applicants contemplate that functional 
implementation of the invention described herein may be implemented 
equivalently in hardware, software, firmware, and/or other available 
functional components or building blocks. Other variations and 
embodiments are possible in light of the above teachings, and it is thus 
intended that the scope of the invention not be limited by this Detailed 
Description, but rather by Claims following. 



